Bitcoin Forum
Author Topic: Trojan.NSIS.Miner.a and NO botnet Cheating on DeepBit  (Read 3885 times)
BitcoinPorn
Hero Member
Activity: 560
Posts: 69
June 29, 2011, 08:13:48 PM
#1

http://www.securelist.com/en/blog/208188132/Gold_rush

Quote
Today our analysts detected a new threat spreading in the Russian sector of the Internet – Trojan.NSIS.Miner.a. This Trojan has two components – the legitimate bcm.exe file BitCoin Miner (not-a-virus:RiskTool.Win32.BitCoinMiner.a), and a malicious module that installs bcm without the user’s knowledge and adds it to the autorun registry. The infected computer then starts to generate bit-coins for the Trojan’s author.

Of course, the Trojan’s code clearly indicates the server address where the cybercriminal’s account is located.



We decided to see how successful our nameless ‘miner’ was, and ended up getting a bit of a surprise.


Found from http://www.reddit.com/r/Bitcoin/comments/icgo4/trojannsisminera_used_to_secretly_mine_bitcoin_on/

gentakin
Member
Activity: 98
June 29, 2011, 08:18:30 PM
#2

Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.

1HNjbHnpu7S3UUNMF6J9yWTD597LgtUCxb
SlaveInDebt
Hero Member
Activity: 701
Your Minion
June 29, 2011, 08:31:27 PM
#3

How about other pools? They have measures in place against this?

"A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain." - Mark Twain
finack
Jr. Member
Activity: 56
June 30, 2011, 12:40:27 AM
#4

Quote
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.

That's not how I read the screenshot. Look at the account's current hash rate, about 4 GH. So he's letting them get work and submit it, he's likely just made it so it isn't accumulating bitcoins for it - meaning instead of a 3% share of their work he's getting a 100% share of it.
[Tycho]
Hero Member
Activity: 742
June 30, 2011, 09:54:16 PM
#5

Quote
Hats off to Tycho for blocking botnets automatically! Remember, it's causing a loss of 3% pool fees.
That's not how I read the screenshot. Look at the account's current hash rate, about 4 GH. So he's letting them get work and submit it, he's likely just made it so it isn't accumulating bitcoins for it - meaning instead of a 3% share of their work he's getting a 100% share of it.

No. In this "warning" state at the moment of taking this screenshot all account/workers configuration options are disabled, but mining still continues and he gets his reward.
Then if we don't receive any explanation from user, his workers are blocked and he won't get any work (his miners will stop).
Mining operations on this account were already blocked when I saw this topic.

This red message turned out to be a bit misleading, I'll correct it now.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
malevolent
can into space
Staff
Legendary
Activity: 1624
July 01, 2011, 10:18:44 AM
#6

Good job!
Veldy
Member
Activity: 98
July 02, 2011, 04:14:16 AM
#7

Awesome!  Great to learn of additional security measures in place; I don't think this was ever announced.  I finally decided to lock my payout address a couple of weeks ago, so I am really surprised that such a trojan/bot was created [not to mention it shows identity].  I don't know if most people have locked their address, but I hope so. At first I didn't like the idea, but now it doesn't matter.  I shuttle my coins to another wallet ... another client on one of my mining boxes and once confirmed to my satisfaction, I shut the client down, encrypt the wallet.dat to wallet.dat.asc and put it in safe storage.  No decryption keys on ANY of my machines nor accessible to anybody unless they get to one of a few locations ... and past my dogs, security system, and my pistol or shotgun (no joke) in one of the locations ... where I live :)

I highly recommend a backup wallet and full public/private key encryption to avoid significant exposure should your machine be compromised [including physically].

If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x
Tasty Champa
Member
Activity: 84
July 02, 2011, 04:30:10 AM
#8

Honesty,
Fuckin NICE! :)


Deepbit +1
airdata
Sr. Member
Activity: 406
July 02, 2011, 04:53:08 AM
#9

Wonder what flags they set?

If you just threw it to full speed a user would likely find it fast if they were having full cpu constantly.
steelhouse
Hero Member
Activity: 700
July 03, 2011, 12:24:53 AM
#10

I think I might have had this, however it shows slow mh/s on your computer.  What I did was reinstall Windows to fix it.
d3m0n1q_733rz
Sr. Member
Activity: 378
July 08, 2011, 08:29:41 AM
#11

If you do happen to find this, there's one of two places the autorun could be located.  One is in your start menu.  The other is in your Task Scheduler.  Very rarely will you find it in your registry, but if you see the miner running and you didn't install it, run a registry search to see if you can find any instance of it or a batch file to run it.

Funroll_Loops, the theoretically quicker breakfast cereal!
Check out http://www.facebook.com/JupiterICT for all of your computing needs.  If you need it, we can get it.  We have solutions for your computing conundrums.  BTC accepted!  12HWUSguWXRCQKfkPeJygVR1ex5wbg3hAq
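
The three autorun locations named in post #11 (Start menu Startup folder, Task Scheduler, registry), checked in one pass. This PowerShell script is an added example, not part of the thread; it assumes PowerShell 3.0 or later on Windows 8 or later (for Get-ScheduledTask), and the default file name bcm.exe is the one given in the Securelist quote in post #1.

```powershell
# Added example: report autorun entries that reference a given file name (default from the Securelist quote).
param([string]$Name = 'bcm.exe')
$pattern = [regex]::Escape($Name)   # literal, case-insensitive match via -match
$hits = @()
# Registry Run/RunOnce values, machine-wide and for the current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($valueName)
        if ($data -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'Registry'; Location = "$key\$valueName"; Command = $data }
        }
    }
}
# Start menu Startup folders: resolve shortcut targets, read batch file contents
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $cmd = $file.Name
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        } elseif ($file.Extension -in '.bat', '.cmd') {
            $cmd = [string](Get-Content -Path $file.FullName -Raw)
        }
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'StartupFolder'; Location = $file.FullName; Command = $cmd.Trim() }
        }
    }
}
# Scheduled tasks whose action command line mentions the file
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath + $task.TaskName; Command = $cmd }
        }
    }
}
$hits | Format-Table -AutoSize -Wrap
```

Run it elevated so that tasks registered by other accounts are listed. Matching is by file name only, so a renamed copy or a registry entry that points at a batch file will not appear.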